Cross Site Request Forgery in PHP
2022-07-25 18:51:00 【allway2】
Cross-Site Request Forgery in PHP | SecureFlag Security Knowledge Base
Prevention

PHP has no built-in protection against CSRF attacks. Developers must implement it themselves, either by checking session-bound tokens or by using one of the many well-tested libraries and frameworks.

PHP

The following steps show how to protect the action.php?do=logout endpoint against CSRF using the Synchronizer Token Pattern.
- After successful authentication, a random token is generated with a cryptographically secure source and stored as a variable in the user's session.

<?php
$_SESSION["csrf_token"] = bin2hex(random_bytes(32));
?>

- From now on, every request to a state-changing endpoint such as action.php?do=logout must carry that token as an HTTP parameter. The following snippet shows an <a href> link that passes the token as a GET parameter. Note that a token in the query string ends up in browser history, Referer headers and server logs, so for anything beyond a demonstration prefer a POST form as in the next step.

<a href="action.php?do=logout&csrf=<?php echo $_SESSION["csrf_token"]; ?>">
- The following snippet shows how to protect a form by passing the token as a hidden field.

<form>
<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf_token"]; ?>">
</form>

- action.php must now verify, before running the protected code, that the csrf parameter matches the token stored in the user's session. The comparison must be constant-time, for example with PHP's hash_equals(); a plain == or === leaks timing information and == also performs loose type juggling.
// The field is named "csrf" in the link and the form above, so that is the key to read.
// Both values must be non-empty strings: hash_equals() rejects non-string arguments,
// and an unset session token must never compare equal to anything.
if (!empty($_SESSION["csrf_token"]) && !empty($_REQUEST["csrf"])
    && is_string($_REQUEST["csrf"])
    && hash_equals($_SESSION["csrf_token"], $_REQUEST["csrf"])) {
    // The token is correct, execute the functionality.
}
else {
    die("Anti CSRF token is missing or wrong.");
}
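The complete pattern from the steps above in one place, as an added example that is not part of the SecureFlag article: a POST-only logout handler for a hypothetical action.php with token creation, a hidden-field helper, constant-time validation and token rotation. The function names, the session key and the /login.php redirect are this example's own assumptions, not an API of any library.

```php
<?php
// Added example (not from the SecureFlag article): Synchronizer Token Pattern
// for a hypothetical action.php?do=logout endpoint.
// Assumptions: PHP 7.0+ (random_bytes, hash_equals), sessions already configured
// with secure cookie flags, one token per session. All names below are this
// example's own.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD       = 'csrf';

// Create the token once per session (after login), not on every request:
// a per-request token breaks the back button and multi-tab use.
function csrf_get_or_create_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        // 32 bytes from the CSPRNG, hex-encoded: 64 characters, 256 bits.
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Render the token as a hidden form field. The value is hex and therefore
// already HTML-safe; escaping anyway keeps templated output consistent.
function csrf_hidden_field(array &$session): string
{
    $token = csrf_get_or_create_token($session);
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submitted token. This reads the POST array only, not $_REQUEST:
// $_REQUEST merges GET, POST and COOKIE according to request_order, so a
// token in the query string would also be accepted and would then leak via
// Referer headers and logs.
function csrf_token_is_valid(array $post, array $session): bool
{
    $expected  = $session[CSRF_SESSION_KEY] ?? '';
    $submitted = $post[CSRF_FIELD] ?? '';

    // hash_equals() requires strings (csrf[]=x would arrive as an array), and an
    // empty expected token must never match anything.
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison; a plain === leaks timing information.
    return hash_equals($expected, $submitted);
}

// Rotate after sensitive actions (login, password change) so a token captured
// earlier in the session cannot be replayed later.
function csrf_rotate_token(array &$session): string
{
    unset($session[CSRF_SESSION_KEY]);
    return csrf_get_or_create_token($session);
}

// --- Front controller for the hypothetical action.php -----------------------
if (PHP_SAPI !== 'cli') {
    session_start();

    if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['do'] ?? '') === 'logout') {
        // State change: require POST and a valid token.
        if (!csrf_token_is_valid($_POST, $_SESSION)) {
            http_response_code(403);
            exit('Anti CSRF token is missing or wrong.');
        }
        session_destroy();
        header('Location: /login.php', true, 303);
        exit;
    }

    // Any other request: render the logout form that carries the hidden token.
    header('Content-Type: text/html; charset=UTF-8');
    echo '<form action="action.php" method="post">'
       . '<input type="hidden" name="do" value="logout">'
       . csrf_hidden_field($_SESSION)
       . '<button type="submit">Log out</button>'
       . '</form>';
}
```

The token check is defence in depth alongside, not instead of, SameSite session cookies: a browser that sends the cookie with a cross-site POST still has no way to read the token out of the victim's page, so the forged request fails at csrf_token_is_valid().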
OWASP CSRF Protector

OWASP CSRF Protector is a standalone PHP library for CSRF mitigation in web applications. Install it following the instructions on the project page. To use it, include the library and call its init() function.
<?php
include_once __DIR__ . '/vendor/owasp/csrf-protector-php/libs/csrf/csrfprotector.php';
// Initialise the CSRFProtector library
csrfProtector::init();

Symfony framework
Symfony provides automatic CSRF protection by default for forms built with its Form component. Other resources, such as plain HTML forms or any other state-changing route, must be explicitly protected by generating and checking a CSRF token manually.

Consider a plain HTML form used to delete a resource. First, generate a CSRF token with the csrf_token() Twig function and store it in a hidden form field.
<form action="/delete" method="post">
<input type="hidden" name="token" value="{{ csrf_token('action-delete') }}"/>
</form>

Then, in the controller action, read the submitted token and check its validity with isCsrfTokenValid().
public function delete(Request $request)
{
$submittedToken = $request->request->get('token');
if (!$this->isCsrfTokenValid('action-delete', $submittedToken)) {
// The token is not correct, redirect to the index.
return $this->redirectToRoute('index');
}
// The token is correct, execute the functionality.
}

References

OWASP - Cross-Site Request Forgery Prevention Cheat Sheet
MITRE - CWE-352
OWASP - CSRF Protector
Symfony - How to Implement CSRF Protection